Establish and maintain policies and procedures for contracted staff.

UCF ID: 00778
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain the IT staff structure in line with strategic goals. [UCF Control ID 00764]

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj F.2; CobiT, Version 4.1, PO4.14; The Standard of Good Practice for Information Security, SM1.3.1, SM1.3.2; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 8.1.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.8.1.3; ISO/IEC 27002 Code of practice for information security management, 2005, § 8.1.3; Financial Reporting Council, Combined Code on Corporate Governance, June 2008, § B.1.6; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.5.5

Banking and Finance Guidance

[Exam Tier II Obj F.2, FFIEC IT Examination Handbook – Information Security]

ISO Guidance

All employees, contractors, and third parties should sign and agree to the terms of their employment contract, which should state the security responsibilities of both the employee and the organization. The contract should state and clarify the following: personnel are required to sign a confidentiality statement if access to sensitive information is required; the legal rights and responsibilities of personnel; responsibilities for the classification of information; responsibilities for handling personal information; responsibilities outside the office, such as working at home; and the actions that will be taken if the security requirements are not followed. [§ 8.1.3, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

All employees and contractors should sign an employment contract. The contract should state their information security responsibilities. [Annex A.8.1.3, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

All employees, contractors, and third parties should sign and agree to the terms of their employment contract, which should state the security responsibilities of both the employee and the organization. The contract should state and clarify the following: personnel are required to sign a confidentiality statement if access to sensitive information is required; the legal rights and responsibilities of personnel; responsibilities for the classification of information; responsibilities for handling personal information; responsibilities outside the office, such as working at home; and the actions that will be taken if the security requirements are not followed. [§ 8.1.3, ISO/IEC 27002 Code of practice for information security management, 2005]

Service providers should have procedures to ensure the quality and integrity of vendor staff who are directly involved in supporting the recovery services. These procedures should cover personnel supplied by a vendor to maintain and repair equipment and facilities, both on site and off site, as well as personnel who provide permanent support as contracted staff. Staff contracts should provide for the replacement of staff within predetermined, agreed-upon times when they are unavailable or unable to perform their tasks, and should confirm that contract staff hold any required security clearances. [§ 5.5.5, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization should define and implement policies and procedures under which the IT function controls the activities of consultants and other contract personnel, in order to protect the organization's information assets and meet agreed contractual requirements. [PO4.14, CobiT, Version 4.1]

Information security responsibilities should be incorporated into all employee contracts. [SM1.3.1, SM1.3.2, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

Contract and notice periods should be set to 1 year or less. If a longer period is required for recruiting an outside director, the period should be reduced to 1 year or less after the initial period has passed. [§ B.1.6, Financial Reporting Council, Combined Code on Corporate Governance, June 2008]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of staff who are assigned and who have acknowledged responsibilities for approved policies, standards, and procedures. [UCF Control ID 01680]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.